Privacy Kit

February 2, 2020

Data protection =/= Privacy | The Cat Herder, Volume 3, Issue 4

February 2 · Issue #68
The Cat Herder
Hidden defibrillators; one facial recognition lawsuit leaves, another one enters; tracking and trading of data; a video in the section called What We’re Reading; not that much about elections. It’s all below.
😼

Peter Naughton has set up a new initiative in Co Laois to map the location of the portable devices, used to assist somebody suffering from sudden cardiac arrest, after the HSE said they could not publicly reveal their whereabouts due to GDPR regulations.
Call for HSE to provide location of defibrillators
www.rte.ie
A retired consultant surgeon has said more lives could be saved if the HSE worked with community groups to publicly identify the location of defibrillators.
  • Defibrillators, not being people, don’t have data protection rights.
  • Vital interests is a lawful basis for processing personal data.
  • The HSE is one of the largest employers in Ireland and seemingly doesn’t have anyone on staff to give them some common sense advice on data protection.
Since it’s election time here in Ireland there hasn’t been much coverage of data buffoonery in the public sector over the last while. Sinn Féin’s John Brady appears to be the only politician who has taken a position on the Public Services Card project, committing his party to implementing the findings of the Data Protection Commission.
John Brady TD
@johnbradysf
@Tupp_Ed @willieodeaLIVE @EamonRyan @KHumphreysDBS @CathMurphyTD @bridsmithTD We would immediately implement all the findings of the DPC.
11:13 PM - 20 Jan 2020
Elsewhere the wheels of discriminatory digital identity projects continue to turn. In an audacious move which no doubt impressed some folks in a couple of Irish government departments, the Kenyan government went seriously all in, shot for the moon and initially attempted to gather DNA* and location data in addition to biometrics for their PSC equivalent. Kenyan courts said no to that.
Idemia, the French firm that won the contract to supply Kenya’s biometric kits, was already embroiled in controversy for its work on Kenya’s 2017 elections and was sanctioned by Parliament last year — a move Idemia is challenging in court.
Idemia is also involved in the Public Services Card project, although you wouldn’t know it if you consulted the information provided by the Department of Employment Affairs and Social Protection on the psc.gov.ie website. This information does not appear to have been updated since late 2017, before the introduction of the GDPR and Data Protection Act 2018 in May 2018. It refers on multiple occasions to “the Data Protection Acts 1988 and 2003”, mentions “the Register maintained by the Data Protection Commissioner” which no longer exists and identifies the company which produces the cards as “Biometric Card Services”. That the department hasn’t bothered to update this (mandatory) information for the benefit of individuals whose data it processes illustrates how seriously the Irish state takes its data protection obligations.
In Australia the familiarly-named myGovID has its own problems. There are also similarities, such as the decision to develop the project in secret.
The project is being led by the Digital Transformation Agency, and the agency kept it deliberately low profile, with little attempts to make the public aware of the digital identity play.
No matter where you go it seems transparency in the processing of personal data is not a concept that appeals to bureaucrats.
*Of course in Ireland the state has permitted a private company to harvest the DNA of citizens both living and dead for private profit, and invested something in the region of €70 million in this private company. A company which reported a loss of close to €38 million recently and is the subject of a “widespread compliance and supervision exercise” by the Data Protection Commission.
It could, it really could.
Facebook settled a lawsuit in Illinois over its use of facial recognition; another one was filed against Clearview AI.
Here we have a collection of wonderful examples of a product or service being provided to consumers ostensibly as a way to increase their security which ends up not really doing that and exposing them to other risks.
Ring Doorbell App Packed with Third-Party Trackers | Electronic Frontier Foundation
www.eff.org
Ring isn’t just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers. An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable…
Tinder's Panic Button Partner, Noonlight, Shares Data With Third Parties
gizmodo.com
Tinder has a proven track record of providing a dating platform to some less-than-stellar men who have been accused of raping—and in one grisly case, dismembering—women they’ve met through the platform. But even when the company does something right, there are still privacy trade-offs to consider.
Leaked Documents Expose the Secretive Market for Your Web Browsing Data - VICE
www.vice.com
An Avast antivirus subsidiary sells ‘Every search. Every click. Every buy. On every site.’ Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.
Joseph Cox
@josephfcox
Was taken aback by the bluntness of Avast/Jumpshot's internal documents on its sale of users' browsing data.

"The data set is almost like an Apache log for the entire Internet for every device in the panel." https://t.co/i5s2lX8FJL https://t.co/fvwpR25q1S
2:27 PM - 27 Jan 2020
The DPC has a new podcast episode about data protection rights for voters.
…
The ICO released a statement on data protection and Brexit. Business as usual until the end of the transition period at the end of this calendar year.
—
The EDPS published a quick guide to necessity and proportionality. Any limitation of the fundamental right to data protection must be necessary and proportionate. This is something that a very large number of data controllers do not seem to grasp currently.
  • 📹 It’s a Sunday. What you definitely need is a 25 minute Socratic dialogue, framed around getting into a nightclub, about the harms inherent in the data economy as it is currently configured. Highly recommended.
  • “if you have a data protection problem, then you need a data protection professional – not a privacy professional – or at least someone who can tell the difference between the two.” ‘If you mean Data Protection, don’t say Privacy’ says Niall Rooney of FP Logue.
  • “What we’re going to see, in my opinion, as a result, is that collecting more logs is bad. The more you keep, the more you have to delete. The more you have to provide back to customers. The more liability there is for breaches of the kind that GDPR is exposing.” Data scientist Vicki Boykis pointing out what data protection professionals have known for years. ‘Collect all the data and figure out what to do with it later’ is not sustainable or prudent. Nor is it legal in the vast majority of cases.
  • The University of East Anglia has paid out more than £140,000 to affected data subjects after a data breach in 2017, writes Chris Matthews in Concrete. Ian Callaghan, the chief resource officer and university secretary at UEA, told Concrete: “This figure [£142,512.16] relates entirely to a single breach in June 2017, which involved personal data being sent in error to a student group email address. This was paid in full by the university’s insurers on UEA’s behalf.”
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
